The security industry needs fewer touchdowns, more interceptions

When I hear this phrase, I often think back to the 2001 Super Bowl. From what I can remember of that night -- I was a senior at Syracuse University at the time, and the $1.50 Labatt Blues were definitely flowing, so cut me some slack if I'm a little fuzzy on the details -- I'm fairly certain the relentless D of the Baltimore Ravens made mincemeat of the New York Giants.

It was a fairly boring game, and the Ravens were a fairly boring team all season long, but because they bent, yet rarely broke, while in defense of their end zone, they were the ones hoisting the Lombardi Trophy, not the hometown Boys in Blue.

I reference this memory not to reveal how drunk I was for Super Bowl XXV -- or how cheap the drinks were -- but because I think the outcome of the game applies to the information security industry, now more than ever before.

We've seen at least four major security companies -- HBGary, RSA, Comodo and Barracuda Networks -- fall to attack this year. And, outside of our industry, experts concede that most, if not all, of the Fortune 100 likely have lost intellectual property to hackers.

Are we now ready to accept that some of today's malware is too sophisticated to detect, and vulnerable entryways within organizations are too prevalent to completely plug?

It's inevitable. The bad guys are going to get in. Actually, never mind, they are here already. Might as well offer them a Labatt Blue because, like it or not, they are crashing the party. They got their varsity jacket on, and they're eyeing the person you're interested in.

So what is there to do?

I've written before about the bane of compliance and its negative effect on the advancement of innovative security solutions. But I think the problem runs deeper than that. And a partial blame may lie with the culture we've created.

Thanks to heavily attended and widely publicized events, such as Black Hat, we have come to think of security researchers like rock stars – bestowing seemingly unending praise on them each time they discover a gaping vulnerability that can lead to devastating attacks.

That is in no way to cast aspersion on white-hat researchers. No doubt, their discoveries have led to more awareness about the weaknesses of the systems, platforms and underlying infrastructure on which we rely on a daily basis. And they expend countless hours doing the work they do.

But the problem is that there appears to be a gaping imbalance between offensive and defensive research that needs some closing. This has never seemed more evident than right now.

Marc Maiffret, the CTO of eEye Digital Security, raised this concern to me in a recent conversation. Maiffret knows a thing or two about being on the offensive side – he discovered many of the earliest Microsoft vulnerabilities back when he was barely old enough to drive – but over the years he has had an awakening, of sorts.

He said he grew tired of it. "I kind of got sick of it in a way, it got repetitive and I don't know if it's helping people," Maiffret told me.

The information security industry of today is much like the military industry, he said, where "it's all about who is creating the better and coolest missile." (Think HBGary Federal.) Many of our industry's smartest minds are looking for the next way to break into a computer and not using their "talent and brainpower" to learn "how do we actually stop these things?" he said.

But we don't have to take this lying down. The security industry can – no, must – do a better job of creating defensive remedies that will limit the scope of the damage that "advanced persistent threats (APT)" cause and make the efforts of adversaries way more challenging than they would like.

Maybe that means security vendors providing more information about how exactly their products work, or maybe victim end-users need to do a better job of communicating what methods they used to repel an APT, or maybe that means solution creators need to drop group-think and think outside of the box to create more innovative stuff.

Or perhaps that means making defense more glamorous and sexy.

Vegas, anyone?

"I've always wanted to do [a conference] that is the complete opposite of what you see with Black Hat," Maiffret told me.

Executive Editor Dan Kaplan, based in New York, has been with SC Magazine since January 2006.
He writes monthly features on varying IT security topics and contributes daily breaking news and multimedia items for SCMagazine.com.
In addition, he is responsible for editing and managing editorial content on the website, and takes the lead role of editing the monthly magazine. He regularly meets with industry experts and leading vendors to discuss the latest trends in the marketplace.
He previously worked as a reporter for the Asbury Park Press in New Jersey. He graduated from Syracuse University with a degree in journalism. He resides in Brooklyn.